This Privacy Policy explains how ThoughtfulAI Studios Private Limited ("StoreCrew", "we", "us", or "our") collects, uses, discloses, and safeguards personal data in connection with the StoreCrew platform and the websites at www.storecrew.in and stores hosted on our infrastructure (collectively, the "Services").
We are committed to handling personal data responsibly and in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and other applicable Indian laws.
Contents
- Scope and our role
- Personal data we collect
- How we use personal data
- Legal basis and consent
- Data of merchants' end-customers
- Sharing and sub-processors
- Cookies and tracking
- Retention
- Security
- Your rights under the DPDP Act
- Children's data
- Cross-border transfers
- Changes to this policy
- Grievance Officer and contact
1. Scope and our role
StoreCrew provides an end-to-end e-commerce platform to Indian merchants and businesses. Two distinct categories of personal data flow through our Services, and our role differs for each:
- Merchant data — Personal data of the businesses, founders, employees, and authorised users who sign up for and use StoreCrew. For this data, we act as a Data Fiduciary under the DPDP Act.
- Shopper data — Personal data of end-customers who purchase from a merchant's StoreCrew-hosted store. For this data, the merchant is the Data Fiduciary and StoreCrew acts as a Data Processor, processing such data on the merchant's behalf and in accordance with the merchant's instructions.
The Services are intended for users located in India. We do not currently market to or knowingly accept users outside India.
2. Personal data we collect
2.1 From merchants
When you create a StoreCrew account or interact with our Services, we may collect:
- Identity and contact details — full name, email address, mobile number, password (stored hashed), profile photo if provided.
- Business information — business name, business type, address, GSTIN, business website, product categories, and similar operating information.
- Billing and payment metadata — billing name, address, plan selected, invoice history, and tokenised payment references returned by our payment processor. We do not store full card numbers, CVVs, or net-banking credentials — these are handled directly by the payment processor.
- Communications — content of emails, WhatsApp messages, support tickets, and call notes you send to us.
- Usage and device data — IP address, browser type, device identifiers, pages visited, actions taken in the dashboard, timestamps, referral URLs, and approximate location derived from IP.
- Content you upload — product information, images, store copy, customer lists, and other materials you choose to upload to your store.
We do not collect Aadhaar numbers, PAN, or other government-issued identification numbers as part of standard onboarding.
2.2 From visitors to this marketing website
When you browse www.storecrew.in without signing up, server logs may capture your IP address, user agent, and page-view timestamps for security and aggregate analytics. Google Fonts is loaded from Google's CDN, which means Google may observe your IP address when fonts are fetched.
3. How we use personal data
We process merchant personal data for the following purposes:
- Creating and maintaining your account and authenticating you.
- Building, operating, and hosting your store and providing platform features.
- Processing subscription payments, issuing invoices, and managing renewals or refunds.
- Sending operational and transactional communications (account notices, billing alerts, security alerts) over email, SMS, or WhatsApp.
- Providing customer support, troubleshooting, and onboarding.
- Improving the Services, debugging, monitoring performance, and preventing fraud or abuse.
- Sending marketing or product update communications, where you have consented or where permitted by law. You can opt out at any time.
- Complying with legal obligations, responding to lawful requests, and enforcing our Terms.
4. Legal basis and consent
We process personal data on one or more of the following bases under the DPDP Act:
- Consent — given by you when you sign up, opt in to a feature, or affirmatively agree to a specific use.
- Legitimate uses — including performance of the contract you have with us, complying with law, responding to medical or safety emergencies, and other legitimate uses recognised under Section 7 of the DPDP Act.
You can withdraw consent at any time by emailing www.storecrew.in. Withdrawal does not affect the lawfulness of processing carried out before withdrawal, and may affect our ability to provide some or all of the Services to you.
5. Data of merchants' end-customers
When end-customers interact with stores hosted on StoreCrew (for example, by placing an order), the merchant collects personal data such as the customer's name, shipping address, phone number, email, and order history. StoreCrew processes this data only on the merchant's instructions, including:
- Storing orders, customer profiles, and order history in the merchant's account.
- Sending transactional emails, SMS, and WhatsApp notifications related to orders, on the merchant's behalf.
- Routing payment information to the payment processor to complete checkout.
- Producing aggregated, de-identified analytics to help the merchant understand store performance.
The merchant is the Data Fiduciary for this end-customer data and is responsible for providing notice, obtaining consent, and responding to data principal rights requests in respect of their customers. End-customers with concerns about a specific store should contact that merchant directly. If a merchant directs us to do so, we will assist them in fulfilling such requests.
6. Sharing and sub-processors
We do not sell personal data. We share personal data only with:
- Sub-processors who help us deliver the Services, under contractual confidentiality and data-protection commitments.
- Professional advisors such as auditors, lawyers, and accountants under confidentiality.
- Government, regulatory, or law-enforcement authorities, where required by Indian law or by a binding order of a court or tribunal.
- Acquirers, in the context of a merger, acquisition, financing, or sale of all or part of our business, subject to standard confidentiality obligations.
Our current key sub-processors include:
| Sub-processor | Purpose | Data categories |
|---|---|---|
| Razorpay | Payment processing for subscriptions and store checkouts | Billing details, tokenised payment references, transaction metadata |
| Supabase | Database and file storage | All categories of merchant and shopper data stored in your account |
| WhatsApp Business API | Sending operational and transactional WhatsApp messages | Phone number, message content |
| Twilio | SMS notifications and OTPs | Phone number, message content |
| Resend | Transactional and marketing email delivery | Email address, name, message content |
| PostHog | Product analytics and event tracking inside the dashboard | Usage events, IP address, device identifiers |
We may add or change sub-processors as the Services evolve. The current list above will be kept up to date. Material changes will be notified through our website or in-product notice where reasonably practicable.
7. Cookies and tracking
This marketing website does not currently set first-party analytics or advertising cookies. The site loads Google Fonts from Google's CDN; this is a third-party request that may result in your IP address being logged by Google.
Inside the StoreCrew dashboard and on stores hosted by us, we use strictly necessary cookies (for authentication, session management, and security) and product analytics events through PostHog. Where required by law, we will obtain consent before placing non-essential cookies or trackers.
8. Retention
We retain personal data only for as long as necessary for the purposes described in this policy, including:
- For active accounts: while your account is open and as needed to operate the Services.
- After account closure: typically up to 90 days, after which account data is deleted or anonymised, except where longer retention is required by law (for example, billing records under tax laws are typically retained for at least 8 years).
- Backups: data may persist in encrypted backups for a limited period after deletion from production systems.
9. Security
We implement reasonable security practices and procedures consistent with the SPDI Rules and applicable industry standards, including:
- Encryption of data in transit using TLS.
- Encryption of data at rest at the storage layer.
- Role-based access controls, least-privilege provisioning, and audit logging for production systems.
- Hardened authentication, including hashed passwords and support for time-bound sessions.
- Vendor due diligence and contractual data-protection commitments with sub-processors.
No method of transmission or storage is perfectly secure. If we become aware of a personal data breach affecting your data, we will notify you and the Data Protection Board of India in accordance with the DPDP Act.
10. Your rights under the DPDP Act
Subject to applicable law, you have the following rights with respect to your personal data:
- Right to access a summary of personal data we hold about you and the processing activities undertaken.
- Right to correction and erasure of inaccurate, incomplete, or out-of-date personal data, and erasure where the data is no longer necessary for the purposes for which it was collected.
- Right to grievance redressal, by contacting our Grievance Officer using the details below.
- Right to nominate another person to exercise your rights in the event of your death or incapacity.
- Right to withdraw consent at any time, where processing is based on consent.
To exercise any of these rights, email www.storecrew.in. We may need to verify your identity before responding. We aim to respond within 30 days. If you are unsatisfied with our response, you may approach the Data Protection Board of India.
11. Children's data
StoreCrew is intended for use by businesses and individuals aged 18 or older. We do not knowingly collect personal data of children under 18 in the course of operating the Services. Merchants who run stores aimed at children must obtain verifiable parental consent and comply with applicable provisions of the DPDP Act.
12. Cross-border transfers
Some of our sub-processors operate or replicate data outside India. Where personal data is transferred outside India, we do so only to jurisdictions and providers that are not restricted under the DPDP Act and subject to contractual safeguards. We will update this policy if the Central Government notifies any additional restrictions.
13. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. Material changes will be communicated by email to registered users or by prominent notice on our website. Your continued use of the Services after a change becomes effective constitutes your acceptance of the revised policy.
14. Grievance Officer and contact
In accordance with Rule 5(9) of the SPDI Rules and Section 8(10) of the DPDP Act, the contact details of our Grievance Officer are:
Grievance Officer — StoreCrew (ThoughtfulAI Studios Pvt Ltd)
Email: www.storecrew.in
Address: #100-FF, 16/3, Sitharam Mandir Road, Cubbonpet, Bangalore City, Bangalore North, Bangalore — 560002, Karnataka, India.
We will acknowledge your grievance within a reasonable time and aim to resolve it within 30 days of receipt.
For all other privacy-related queries, write to us at www.storecrew.in.